Talk Luca Moroni - Via Virtuosa Cyber security awareness of critical infrastructures in N/E of Italy: scenarios and guidelines for self-assesementOzaveščenost o varnosti spleta in kritične infrastrukture v severni Italiji: Scenariji in smernice kako opraviti samooceno

1. Konferenca za izzive vodenja, tveganj, varnosti in
revizije IKT
Ljubljana, Oktober 2016
Cyber security awareness of critical infrastructures
in N/E of Italy: scenarios and guidelines for self-
assesement
Ozaveščenost o varnosti spleta in kritične
infrastrukture v severni Italiji: Scenariji in smernice
kako opraviti samooceno
Luca Moroni, CISA, ITIL
Via Virtuosa – ISACA Venice Chapter

3. membership growth

4. ISACA VENICE research team coordinator
✔ Research n.1: Vulnerability and Penetration Test. User’s guidelines
about third party penetration test.
✔ Research n.5: Cyber Security Awareness of N/E Italian Critical
Infrastructures: Scenarios and Guidelines for self-assessment
Member of ISACA VENICE Chapter Translation team
✔ Securing Mobile Devices – ITA
Geaduation in Computer Science (1989 Milan), CISA e ITIL V3
certified and other tech certification
Focused on Cybersecurity since 2000 and lecturer in some
seminars about this topic
Founder of the innovative company Via Virtuosa, which focuses
on scouting and promotion expertise in Cybersecurity and IT
governance in NE of Italy.
Luca Moroni
Who am i

5. Giuseppe Esposito CISA, PMP, LA 27001, CSA-
STAR, 22301, 9001, ITIL-V3 Foundation, ISO2000
Foundation
Alessandro Guarino LA 27001
Pierlugi Sartori CISSP, CISM, CGEIT, CRISC,
MBCI
and
Chapter past president Orillo Narduzzo for the trust
My team in Research

6. Seminar ISACA VENICE CHAPTER
3 Oct 2014 – Venice
Dr. Marco Balduzzi (In)security of smart transportation at sea
The Automated identification System (AIS)

7. On 2014Th this question:
Have you never done an internal Cybersecurity analysis?
Where the analysis is composed of a series of processes that simulate the actions normally
performed by an employee and consultant in the internal network.
Yes
No
No need
Vulnerability Assessment e Penetration Test. User’s
guidelines in selection third parity of penetration tests

8. Disaster 9 October 1963 - Vajont Dam. During initial filling, a
massive landslide caused a man-made megatsunami in the
lake. https://en.wikipedia.org/wiki/Vajont_Dam
But if was a Company or a PA with an
impact on social life?

9. An infrastructure is considered critical in
Europe if an incident would have a serious
impact on the social life of the citizens,
that is, for example, on health, physical
and logical security or economic well-
being of citizens or the effective
functioning of the State; or it could lead
to serious social consequences or other
dramatic consequences for the
community.
What is a Critical Infrastructure (IC)?

10. • Energy
• Telecommunications
• Water
• Food
• Health
• Transports
• Banks
• Civil defence
• ALL COMPANIES IN WHICH THE DAMAGEMENT OF
SYSTEMS IMPACTS LIFE
What is an Italian Critical Sector?

11. 9/3/2014: The Italian Cabinet for the first time places first of the Cyber
Threat.
Italy has one of the highest rates in Europe of medium companies, small
and micro - enterprises, which hold assets in terms of know -how.
Two main problems :
1 ) Stakeholders using cyber tools
2 ) Small and medium-sized enterprises are far less protected
Source: http://www.agendadigitale.eu/infrastrutture/722_cybercrime-danneggia-il-sistema-italia-per-20-40-mld-annui.htm
Cyber Threat for Italian IC

12. Feb. 2016: Special attention should
be given to the legislative and
regulatory framework that
addresses issues related to the
protection of critical infrastructure
in the IC support sector.
Source: http://www.mizs.gov.si/fileadmin/mizs.gov.si/pageuploads/Informacijska_druzba/pdf/Cyber_Security_Strategy_Slovenia.pdf
Cyber Threat for Slovenia IC

13. ® White Paper 2013 Isaca Venezia
Cyber Security Awareness of Critical Infrastructures in North East of Italy: Scenario and Guidelines for self-assessment
Survey on 55 companies
The companies belonging to the sectors
critics in the Italy North East
Transports
Food
Water
Telecommuni
cations
Health
Transports
Banks
Civil Defence
Energy

14. Yes No
® White Paper 2013 Isaca Venezia
Cyber security awareness of critical infrastructures in N/E of Italy: scenarios and guidelines for self-assesement
Survey on 55 companies
QUESTION: Have you ever had any IT
security problems?

15. Yes No
QUESTION: Is there a spending forecast
specifically dedicated to IT security?
® White Paper 2013 Isaca Venezia
Cyber security awareness of critical infrastructures in N/E of Italy: scenarios and guidelines for self-assesement
Survey on 55 companies

16. Scenario

17. Yes No
® White Paper 2013 Isaca Venezia
Cyber security awareness of critical infrastructures in N/E of Italy: scenarios and guidelines for self-assesement
Survey on 55 companies
QUESTION:
Assuming that you you have a critical infrastructure, are you
aware a violation of your IT systems may have consequences
outside your company?

18. • Regulations: decided by EU and focused around IC and its IT
security systems
• Italy also adds SMB
• Cyber attacks spread
• Principles work for all, not just for designated IC
• Approach based on risk management and to its assessment
to understand the context in which the business is located
• If the Production Plant use the same ICT technologies,
these may suffer the same risks the data room does (see
Stuxnet)
Source: BSI analysis about cyber security 2012
Factory’s scenario

19. YESTERDAY TODAY
ARCHITECTURE
physical
dedicated links
Open network
based on IP
ADSL, USB, WIFI
TECHNOLOGY
proprietary
systems using
specific protocols
Standard systems
with standard
protocols
INCIDENTS low Rapidly growing
Factory: Cybersecurity evolution

20. Factory: Cybersecurity evolution
YESTERDAY TODAY
ARCHITECTU
RE
physical
dedicated links
Open network
based on IP
ADSL, USB, WIFI
TECHNOLOG
Y
proprietary
systems using
specific protocols
Standard systems
with standard
protocols
INCIDENTS low Rapidly growing
SOURCE USA: http://www.scadahacker.com/

21. • Unauthorised use of remote manteinance services (eg. )
• Online attacks through the offices network
• Attacks to standard IT devices inthe production plant network
• DDOS attacks
• Human errors or sabotage
• Introduction of Viruses and Trojans through removable storages (USB,
cameras, mobile phones, …)
• Reading and writing of unencripted commands (VPN)
• Unauthenticated access to the factory system resources (and default
configurations)
• Violations to network devices
• Technical problems (backup configuration)
Source: BSI analysis about cyber security 2012
Factory: Top 10 Threat

22. I must prepare to
update!
What’s the
matter? It
works!
MORE INTERESTED
IN CYBERSECURITY
MORE INTERESTED
IN AVAILABILITY
Paul Steven
Production Manager vs. CIO
PROBLEM!

23. Factory Security requirements IT
Availability, Integrity,
Confidentiality
Security Priority Order Confidentiality, Integrity,
Availability
h24x365d
(Restart not possible)
Availability Office time 8h
(Restart possible)
In the worst cases very serious,
even possible victims
Company Risk Money loss
Privacy violation
Brand Reputation
10 - 20 Years Longevity infrastructure 3-5 Years
Real Time Response times Not Important
It depends on the Producer. But
long (one time every 1~4 years)
Update times Frequent and Regulars
Production & Automation Office Update responsibility IT Office
Different Standards / defined by
Nation
Security Standard International Standard
Devices (Equipment, Products)
Services (Continuity)
Security Objective Information security
Production Manager vs. CIO

24. QUESTION:
Which of these IT security elements has never taken into
consideration?
® White Paper 2013 Isaca Venezia
Cyber security awareness of critical infrastructures in N/E of Italy: scenarios and guidelines for self-assesement
Survey on 55 companies

25. Hacker ROI
MORE INTEREST
IN CYBERSECURITY
MORE INTEREST
IN AVAILABILITY
Where I create
more damage
and maybe I
can blackmail a
company

26. April 30, 2016.
http://securityaffairs.co/wordpress/46824/malware/bwl-electric-ransomware.html
IC Incidents evolution
YESTERDAY TODAY

27. The level of information security will
become a value and reliable indicator for
the company.
More responsibility is required

28. WE Created 5 checklist, One for each of the five areas of
processes in which IS decomposed Management Business
Continuity For a Critical Infrastructure.
1. Preventive measures
2. Crisis Management Revision
3. Actual crisis managment
4. Follow-up (after the crisis)
5. Trainings
Our contribution: a self-assessment tool

29. First check list: Preventive measures
Preventive measures concerning the processes related to the
prevention of disasters .
Example
Area "preventive measures"
Section "Information Technology":
1.7.3.2 Critical data are stored in different places?
(This checks for backup located in multiple places )
Our contribution: a self-assessment tool

30. Second check list: Crisis Management Revision
The review of crisis management as the business environment
preparation so that there is an effective response to disastrous
situations.
Example
Area "Crisis Management Revision"
Section " Requested information and archives "
2.1.5.3 The necessary files are all at your fingertips?
(This checks for necessary files for crisis management)
Our contribution: a self-assessment tool

31. Third check list: Actual crisis managment
The management of real crisis includes the processes required to contain the
consequences of a disaster when it happens .
Example
Area "Managing the real Crisis“
Section "Treatment of critical data and archives"
3.2.9.1 The media and critical files are always kept in a fire-proof
containers and flooding?
(This checks the effectiveness of the archives and supports security measures
during a disaster )
Our contribution: a self-assessment tool

32. Fourth check list: Follow-up (after the crisis)
The follow-up allows to derive the elements of improvement of the
management system of direct experience in managing a disaster .
Example
Area "Follow -up"
4.9 It was done an inventory of damaged buildings , facilities and
equipment?
(Only when the crisis did occur, it operates a check on damaged equipment .
The follow-up is used to improve the system from the direct experience of a
crisis)
Our contribution: a self-assessment tool

33. Fifth check list: Trainings
The exercises are the response test their disaster .
Example
Area "Exercises "
Section "Generality"
5.1.3 The internal and external communication channels are tested?
(The exercises are necessary to hold the whole structure prepared to face
a possible crisis. The communication channels are one of the necessary
infrastructure to ensure efficient management of disasters )
Our contribution: a self-assessment tool

34. •Europe must impose a management of the problem and
support companies costs.
•Recognized standards, such as ISO 27001 or COBIT, are poorly
adopted by companies because it is not perceived as a value.
• Some Critical sectors (eg. Banks) already uses cybersecurity
framework standards (eg. ITA 263).
•Our check list can provide guidance to an auditor
•A Critical company must execute a Gap analysis on the
cybersecurity.
•SMB Critical Infrastructures and factories are a State
weakness
Conclusions

35. LUCA! You are always catastrophic
Why are we talking about this?

36. Why are we talking about this?
LUCA! Too much fantasy

37. Why are we talking about this?
Awareness
Italy 13-4-2016
http://www.zeusnews.it/n.php?c=24139
Italian electric generator controlled by anyone via the Internet

38. Why are we talking about this?
Awareness
Prague 25 March 2016
https://youtu.be/fwPu1hxXzNs

39. Question: Someone inquire about cybersecurity management?
CyberRisk Outsourcing in North East of Italy
Research in progress
Research 2016 – Via Virtuosa®
Cyber Risk Outsourcing in North East of Italy (Draft)
Survey on 70 companies

40. Question?

41. Thanks!
l.moroni@viavirtuosa.it
Free download
http://www.isaca.org/chapters5/Venice/Benefits/Documents/ISACA_VENICE_QUADERNI_05_INFRA_CRITICHE.pdf